Kronos crims go retro, Apple builds cop portal, Swiss cheesed over Russian hack bid, etc

Roundup This was the week of ice cold exploits, re-appearing JavaScript nasties, and of course Patch Tuesday. A few other things happened too…

Android gets its monthly patch-up

Microsoft and Adobe weren't the only ones to kick out monthly updates recently. Google also issued the September update for Android.

This month, fixes included remote code execution flaws in the Android Runtime (CVE-2018-9466), Library (CVE-2018-9472) and Media Framework (CVE-2018-9411, CVE-2018-9427). The update also addresses a number of elevation of privilege and information disclosure flaws.

When you get the update will depend on your device and carrier. In the case of Google's own Pixel hardware, you should be able to download the patches now.

Kronos malware wakes up

Researchers with Securonix say that the long-dormant Kronos malware appears to have reactivated with a new phishing campaign.

Now known as Osiris, the malware has been spotted spreading through targeted phishing attacks localized for Germany, Poland and Japan and attempting to harvest login credentials from well-known banking sites. The researchers note this is the first time in years Kronos or one of its variants have spotted actively spreading.

If the name Kronos sounds familiar, it's probably because British security star Marcus Hutchins was charged last year with allegedly helping to create the malware back when he was still a teenager. The FBI has charged Hutchens with six felony counts.

Apple to build police portal

Apple is said to be in the process of creating a web portal that would allow police to directly contact the Cupertino giant when seeking data from a person's iCloud account.

A letter sent from Cook and Co. to US Senator Sheldon Whitehouse (D-RI) describes how the portal would not only allow law enforcement agencies to submit requests, but also track their progress.

Apple, which is now paying out rewards via its bug bounty program, is also planning to put together an outreach team that would teach officers how to use the portal and what sort of digital evidence they would be allowed to access from customer accounts.

Hopefully those cops can track down the crooks charging $1,500 for a phone.

Russians accused of trying to hack Swiss chemicals lab

A pair of Russian nationals who were recently expelled from the Netherlands have been accused of trying to hack a Swiss lab that conducts chemical weapons tests.

The AP claims the pair were attempting to break into the Spiez Laboratory.

The lab had been analyzing compounds found at the scene of the March Novichok poisoning of Sergei Skripal and his daughter Yulia in England. It doesn't take much imagination to think what intruders may have been up to.

Fortunately, it looks like the pair failed. Authorities report that the attacks were unsuccessful, and the two Russians were arrested in the Hague and subsequently deported back to Moscow.

Researchers re-swipe Intel firmware keys

A high-profile Intel exploit from 2017 is back in the news after researchers found a new way to re-open a vulnerability that would potentially allow an attacker to lift encryption keys.

Researchers with Positive Technologies say they have found a new vulnerability that lets an attacker then re-exploit other flaws that give access to two "non-intel" secret keys.

Armed with those keys, an attacker could then decode sensitive information such as passwords that would allow them to take over Intel Management Engine (ME) firmware controls in PCs and servers.

Fortunately, the flaw is not remotely exploitable, an attacker would have to have direct physical access to the machine in question.

Intel has also pushed out a firmware update, so those who would be worried about the bug can get a fix now.

It's 2018, and EternalBlue exploits are still pwning PCs

It has been more than a year since the EternalBlue exploit was released amidst a trove of stolen NSA hacking tools, and the Windows attack is still successfully infecting machines.

Cybereason has the story on Wannamine, a crypto mining infection that uses EternalBlue to get into machines and use their processor power to create new crypto coins.

This is particularly frustrating for security consultants and companies that are trying to block emerging threats, only to have machines compromised from a 15 month-old bug in a poorly-maintained workstation.

"Until organizations patch and update their computers, they’ll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns," notes Cybereason.

"Part of giving the defenders an advantage means making the attacker’s job more difficult by taking steps to boost an organization’s security. Patching vulnerabilities, especially the ones associated with EternalBlue, falls into this category."

Grindr findr can get you in a bindr

Hookup app Grindr is being criticized for its failure to patch a security hole that could let third-parties track users across a given city.

Queer Europe reports that the Grindr API is potentially allowing non-users to create entire maps of men looking for hookups on Grindr, as well as their HIV status and interests.

The group worries that the feature can be abused both to invade the privacy of Grindr users (including tracking individuals across the map without their consent) and target people for harassment and attacks, particularly in countries that are not friendly to the gay community.

Queer Europe is calling on Grindr to take a number of steps to better protect users, including limiting the accuracy and speed of location-tracking features and turning off the distance-tracking feature by default.

"To prevent data harvesting on a large scale," the group writes, "Grindr should also protect its API, by limiting the amount of information that can be requested." ®